EyePyramid: I forgot to do my homework!

Today the Italian news was dominated by the story of a brother and sister arrested in Italy for spying on top public officials, institutions and high-profile VIPs.

The EyePyramid story has been widely reported and will probably monopolise the Italian media for the next week. So I do not want to write about it.

The only official information available (right now) is in the subpoena / arrest warrant (sorry, in Italian). It is full of operational details about how the bad guys were running their business.

Technically speaking, they wrote a VB.NET malware with RAT / spyware features. They infected high-level targets via spear-phishing and pivoted through the victims' email accounts to infect more high-level targets. The whole thing was reporting and exfiltrating data to a C&C.

@phretor wrote a digest with all the available IoCs and the @ReaQta guys are publishing some details from their malware analysis.

So, there is not much to say. This is not advanced enough to be dubbed APT$foo or $barBear, although it shows once again that cutting-edge malware is not needed to compromise high-level targets.

Now the fun part: what about operational details? The arrest warrant is full of interesting suggestions from these malware operators:

Side channel over cloud storage or email: why deploy a complex side channel when you can just push data to the cloud? They stole small files by simply sending them via email, and large files by uploading them to cloud storage sites.
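The two exfiltration paths above (small files out by email, large files up to cloud storage) are exactly the kind of traffic a proxy and a mail gateway already log, so here is an added detection sketch written for this post; it is not code from the original article nor from the malware analysis it links to. The log formats, host names, internal mail domain, size threshold and every sample line are constructed assumptions for the example, not artefacts from the EyePyramid case.

```python
"""Flag the two exfiltration channels described in the warrant from
constructed proxy and mail-gateway logs: large uploads to cloud storage
hosts, and email attachments leaving the organisation.  All formats,
hosts and thresholds are assumptions made for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed watch-list of cloud storage hosts (placeholder names, not real IoCs).
CLOUD_STORAGE_HOSTS = {"files.example-cloud.test", "drive.example-storage.test"}
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024   # assumed: 5 MiB in one request is worth a look
INTERNAL_MAIL_DOMAIN = "corp.example"      # assumed internal mail domain

# Assumed proxy log format:  ts src_ip method host bytes_out
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$")
# Assumed mail-gateway log format:  ts src_ip from to attachment_bytes
MAIL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<frm>\S+) (?P<to>\S+) (?P<bytes>\d+)$")


@dataclass
class Finding:
    src: str      # internal host that generated the traffic
    kind: str     # "cloud_upload" or "external_attachment"
    detail: str   # destination host or recipient address
    size: int     # bytes sent


def check_proxy_line(line: str) -> Optional[Finding]:
    """Large POST/PUT to a watched cloud storage host -> finding."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    size = int(m["bytes"])
    if (m["method"] in ("POST", "PUT") and m["host"] in CLOUD_STORAGE_HOSTS
            and size >= UPLOAD_BYTES_THRESHOLD):
        return Finding(m["src"], "cloud_upload", m["host"], size)
    return None


def check_mail_line(line: str) -> Optional[Finding]:
    """Attachment sent to a recipient outside the internal domain -> finding."""
    m = MAIL_RE.match(line.strip())
    if not m:
        return None
    size = int(m["bytes"])
    recipient_domain = m["to"].rsplit("@", 1)[-1].lower()
    if size > 0 and recipient_domain != INTERNAL_MAIL_DOMAIN:
        return Finding(m["src"], "external_attachment", m["to"], size)
    return None


def scan(proxy_lines: Iterable[str], mail_lines: Iterable[str]) -> List[Finding]:
    findings = [f for f in map(check_proxy_line, proxy_lines) if f]
    findings += [f for f in map(check_mail_line, mail_lines) if f]
    return findings


def hosts_using_both_channels(findings: Iterable[Finding]) -> List[str]:
    """Hosts seen on both channels: a stronger signal than either one alone,
    since a single user rarely does both within the same window."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f.src].add(f.kind)
    return sorted(src for src, k in kinds.items()
                  if {"cloud_upload", "external_attachment"} <= k)


# Constructed sample logs (timestamps, addresses and sizes are made up).
PROXY_SAMPLE = [
    "2017-01-10T09:00:01 10.0.0.5 GET www.example.test 512",
    "2017-01-10T09:05:12 10.0.0.5 PUT files.example-cloud.test 52428800",
    "2017-01-10T09:07:30 10.0.0.9 POST files.example-cloud.test 20480",
    "2017-01-10T09:08:00 10.0.0.7 PUT drive.example-storage.test 8388608",
]
MAIL_SAMPLE = [
    "2017-01-10T09:10:00 10.0.0.5 alice@corp.example drop@mailbox.test 40960",
    "2017-01-10T09:11:00 10.0.0.7 bob@corp.example carol@corp.example 2048",
    "2017-01-10T09:12:00 10.0.0.8 dave@corp.example eve@corp.example 0",
]

if __name__ == "__main__":
    results = scan(PROXY_SAMPLE, MAIL_SAMPLE)
    for f in results:
        print(f"{f.src}: {f.kind} -> {f.detail} ({f.size} bytes)")
    print("hosts on both channels:", hosts_using_both_channels(results))
```

On the sample input the scan flags the 50 MiB and 8 MiB uploads, ignores the 20 KiB POST below the threshold, flags the attachment sent to an external mailbox, and reports 10.0.0.5 as the one host using both channels. In production the watch-list would be the cloud services your organisation does not sanction, the threshold would come from a baseline of normal upload sizes, and the per-host correlation is where the noise drops.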

Licensed software: when writing malware, if you need a commercial library, be honest and fair. Buy a proper license using your real name.

Privacy Protect Everything: for your C&C forget fast flux and DGA, the plain old stuff just works. With a bunch of domains and a whois privacy option you can rule the world!

Premium DSL support: if you are in trouble with your internet link, just tell support you are bot herding like a boss.

Buy chocolate flavoured smart cards: so next time you can just eat them.